Simon Crosby ‘Inverts Your Brain’ With Tiny Virtual Machine

Simon Crosby -- the man behind the virtualization software that underpins Amazon's cloud -- has built a new breed of virtualization. Photo: Bromium

Google’s Chrome browser was built to keep every webpage you visit from attacking everything else on your machine. Each browser tab sits in its own security “sandbox,” isolated not only from other applications and your machine’s core operating system, but from every other browser tab. Google has even built a tool that seeks to protect your machine when your browser runs “native code” — code that talks directly to your hardware.

But Simon Crosby says all this Google security is flawed. He says Google’s sandbox is inadequate simply because it’s software written by mere mortals, and he calls Google Native Client “nonsense.”

“These methods fail because they require humans to write code, and wherever you have code, you have vulnerabilities,” he says. “[Chrome’s sandox] is a massively broad interface. It’s no surprise that Chrome still has zero-day vulnerabilities.”

“This is a complete paradigm shift, and it will invert your brain. We call it virtualization, but to understand it, you need to forget everything you know about virtualization.”

– Simon Crosby

This is just how he talks. Simon Crosby is known for his, shall we say, incisive opinions on the giants of the tech world. But he’s also known for creating the Xen hypervisor — the open source software that helps run virtual machines across Amazon’s massively popular cloud service and so many other online operations — and there’s usually a purpose to his frank criticism. In flaming Google, his aim is to show that he and his new company, Bromium, have built a security tool that succeeds where the search giant ostensibly fails.

Yes, Bromium’s new tool involves virtualization — the art of creating software that’s separated from the software and hardware running beneath it. But he says the company has created an entirely new form of virtualization. He calls it micro-virtualization, and the idea is to protect your machine from every malicious piece of code you may click on, including rogue web addresses, email attachments, and other files.

Humans, he says, will always click on malware. We’re just gullible that way. But Bromium uses tools built into Intel’s existing microprocessors to isolate rogue code from the rest of your machine. “This is a complete paradigm shift, and it will invert your brain,” Crosby says. “We call it virtualization … but to understand it, you need to forget everything you know about virtualization.”

Tapping into microprocessor hardware originally designed to facilitate the use of virtualization, the tool extends the idea of Google’s sandbox to all other applications on your machine, and according to Crosby, it’s less vulnerable to attack because the code used to build is minuscule compared to the code behind software such as a Google’s sandbox. Most of the work, he says, is done with hardware. “We use hardware virtualization to isolate between different boundaries of trust. It’s a hardware backstop for whenever we cross one of those boundaries.”

Asked to comment on Crosby’s comparison between Bromium and Google Chrome’s security, Google told us it didn’t have enough information on Bromium to adequately respond. But it did defend its security record as “strong.”

Revealed today at a conference in San Francisco, Crosby’s micro-virtualization technology is still in the “beta” test phase. It has no price tag at the moment, and Crosby himself admits there are parts of this creation that still need honing. But he’s adamant the tool will revolutionize computer security within the world’s businesses.

Judging from Crosby’s description of the tool, security researcher Joanna Rutkowska questions whether it’s as useful as Crosby says it is. But at first blush, she does see this as extension of the trend towards security that provides better isolation between disparate applications running on the same machine. This includes not only Google’s Chrome sandbox but the “Protected Mode” Microsoft now offers with its Internet Explorer browser and the various sandboxes Google has helped build for plugins such as Adobe Flash.

“It seems like Bromium avoided addressing any of the hard problems of the desktop computing, focusing instead on the most basic form of application isolation,” says Rutkowska. “[But] this…should not be automatically interpreted as a useless solution. Providing even basic isolation between applications is always a good thing. After all, until recently, most desktop OSes, such as Windows or Mac, practically didn’t use any form of isolation between apps.”

It should be noted, however, the Rutkowska is also using the virtualization tools built into microprocessor to build a security system that seeks to go well beyond Bromium’s technology.

But Crosby argues his tool is superior because it can be readily installed on existing operating systems and is far easier to use. Your OS continues to work as it always did, and you can take your machine onto any network — at least in theory.

“You can’t just build a big wall around everything. A [business] that is completely locked down is not productive,” he says. “Humans inherently like to go out into the world to be productive, whether it’s hunting and gathering or going to Starbucks with a business colleague to discuss a deal, browsing the web and opening an attachment.”

So, What The Hell is a Microvisor?

With Xen, Crosby created something fairly similar to VMware’s vSphere hypervisor — though he wouldn’t like us saying that. In his mind, Xen is unique. But like vSphere, Xen is a way of running many virtual servers on a single physical machine, each with their own operating system. In order to facilitate this setup, the Xen hypervisor taps into specific virtualization-related instructions built into microprocessors from Intel and AMD, and at least on the Intel side, this same virtualization hardware provides the basis for Bromium’s “microvisor.”

But this tool is not a way of running multiple operating systems on a single machine. It creates what Crosby calls a “lightweight” virtual machine that’s used to isolate individual application tasks from the rest of the system. “The Microvisor uses hardware virtualization to guarantee that micro-VMs are isolated from the OS and each other,” reads a whitepaper provided by Bromium. “It protects enterprise assets by restricting the ability of each micro-VM to access data, networks and other system resources.”

Basically, the virtualization hardware built into a microprocessor runs virtual machines in a way that restricts their access to other parts of the system, and Bromium has applied this same isolation to individual applications tasks. If an application task tries to access core system resources, the hardware will stop it, Crosby says, and ask the microvisor how to proceed. The microvisor then evaluates the request under the “principle of least privilege,” which essentially means it only provides access to resources needed to complete that task.

If you click on the url for Facebook.com, for instance, the only resource that task needs access to the public internet and the browser cookie for the social networking site. The microvisor, Crosby says, would provide access to this but nothing else.

“Bromium is marketing their solution using the buzzword ‘virtualization,’ but I would be cautious to consider any isolation immediately strong, just because it relies on virtualization, or even hardware virtualization.”

– Joanna Rutkowska

The trick, Crosby says, is that you can install the tool on an existing desktop operating systems, such as Windows. You needn’t install it on bare-metal hardware before the operating system is installed. “Every single x86 client that ships today includes hardware virtualization,” he says, referring the x86 processor instruction set, the de facto standard for modern desktops and notebooks, “so it’s immediately useful in this context…and there’s no noticeable change to the way the user behaves.”

On a PC with 4GB of memory, Crosby says, Bromium can create and run 100 to 150 of these tiny virtual machines. And according to Crosby, these can be applied to any existing application.

Rutkowska acknowledges that there’s something to be said for this — and that her Qubes OS requires a far more complicated setup. It’s an entirely new operating system. But she warns against viewing Bromium as a solution to all security woes. “Bromium is marketing their solution using the buzzword ‘virtualization,’ but I would be cautious to consider any isolation immediately strong, just because it relies on virtualization, or even hardware virtualization.”

She says that hardware virtualization brings little security advantage over the traditional hardware isolation mechanisms used by processors for decades to separate the operating system kernel from software run by the user. Even
though we have seen hackers exploit countless security holes in many operating
systems in the last 20 years or so, she says, none of those attacks undermined
that older form of isolation. They always attacked the software interfaces build around them.

This includes interfaces used for disk and filesystem virtualization, networking
virtualization, and GUI virtualization, she says.

So, Rutkowska says, if we replace this older isolation with hardware virtualization a la Bromium, but keep similar software interfaces around, the game is not significantly changed.

But Crosby argues that his micro-visor is very much a step forward. Like Google Chrome, it provides added protection, but unlikes Chrome, the software itself is less prone to attack. The Bromium software that isolates each application task, he says, involves only about 10,000 lines of code. “It’s a very simple interface that’s consistent across all applications you use,” he says. “We’ve basically gone from 100 million lines of vulnerability on today’s desktops — which is 10 to the 8th — down to 10,000 lines — which is 10 to the 4th.”

In other words, it’s not nearly as vulnerable to attack as Google’s Chrome sandbox. Or at least, that’s the claim from Simon Crosby.

Update: This story has been updated to add comment from Google and to correct and expand on comments from Joanna Rutkowska.